Bug 1064149

Summary: unbound and ldns are disabled ECDSA support for DNSSEC
Product: [Fedora] Fedora
Reporter: sshida
Component: unbound
Assignee: Paul Wouters <pwouters>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 20
CC: ilari.stenroth, pwouters, thozza, vonsch, wtogami
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2015-04-08 12:53:41 UTC
Type: Bug
Bug Blocks: 1019390

Description sshida 2014-02-12 06:09:55 UTC
Description of problem:
- ECDSA is Elliptic Curve Digital Signature Algorithm.
- ECDSA is supported in DNSSEC (RFC 6605)
- Both unbound and ldns support ECDSA
- But in Fedora 20, unbound and ldns do not support ECDSA,
  as they are compiled with --disable-ecdsa.

Version-Release number of selected component (if applicable):
- Fedora 20

How reproducible:
- see spec file of unbound and ldns

Steps to Reproduce:
1. grep ecdsa ldns.spec
2. grep ecdsa unbound.spec

Actual results:
$ grep ecdsa ldns.spec
%configure --disable-rpath --disable-static --disable-gost --disable-ecdsa \
   --disable-ecdsa \
   --disable-ecdsa \
- Added --disable-ecdsa as ECC is still banned

% grep ecdsa unbound.spec
            --enable-sha2 --disable-gost --disable-ecdsa \

Expected results:
- "--disable-ecdsa" is not seen in ldns.spec, unbound.spec
- ECDSA test passes

Additional info:
- Similar bugs have also been solved in apache httpd, ssh, curl.
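
An added example, not part of the original report or of the Fedora packages: plain `grep ecdsa` also matches changelog text (as in the ldns.spec output above), so this check joins the backslash continuations of each configure command and reports only the switches actually passed to it, with the DNSSEC algorithm numbers they gate. The function names and the sample spec text are hypothetical, constructed from the flags quoted in the report.

```python
import re

# DNSSEC algorithm numbers gated by each configure switch
# (ECDSA: RFC 6605, GOST: RFC 5933).
ALGORITHMS = {
    "ecdsa": ["13 ECDSAP256SHA256", "14 ECDSAP384SHA384"],
    "gost": ["12 ECC-GOST"],
}

# Constructed sample, built from the flags quoted in the report.
SAMPLE_SPEC = r"""%build
%configure --disable-rpath --disable-static \
            --enable-sha2 --disable-gost --disable-ecdsa

%changelog
- Added --disable-ecdsa as ECC is still banned
"""

def configure_commands(spec_text):
    """Yield each configure command with its '\\' continuation lines joined."""
    current = None
    for line in spec_text.splitlines():
        stripped = line.strip()
        if current is None:
            if not re.match(r"(%configure|(\./)?configure)\b", stripped):
                continue  # changelog entries and other lines are ignored
            current = ""
        current += " " + stripped.rstrip("\\")
        if not stripped.endswith("\\"):
            yield current.strip()
            current = None
    if current is not None:  # file ended inside a continuation
        yield current.strip()

def disabled_algorithms(spec_text):
    """Map each --disable-<switch> passed to configure to the algorithms it removes."""
    found = {}
    for command in configure_commands(spec_text):
        for switch in re.findall(r"--disable-([a-z0-9]+)", command):
            if switch in ALGORITHMS:
                found[switch] = ALGORITHMS[switch]
    return found

if __name__ == "__main__":
    for switch, algs in disabled_algorithms(SAMPLE_SPEC).items():
        print(f"--disable-{switch}: cannot validate {', '.join(algs)}")
```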

Comment 1 Ilari Stenroth 2015-01-31 22:07:40 UTC
CloudFlare is planning to launch DNSSEC with ECDSA keys. RHEL/Fedora/CentOS provided Unbound will not be able to verify DNS replies for domains that CloudFlare is hosting if this issue is not resolved.

Comment 2 Ilari Stenroth 2015-01-31 22:18:03 UTC
See also bug #1019390.

Comment 3 Paul Wouters 2015-02-02 15:33:40 UTC
Oops. It was only enabled for el6, not Fedora branches. I will push out updates now.

Note unbound no longer requires ldns (but ldns should also be fixed to enable support for it).

Comment 4 Tomáš Hozza 2015-04-08 12:53:41 UTC
Both unbound and ldns are compiled with ECDSA support in F21+.